Post navigation

The Problem of Overbroad Technology Legislation

Those closest to Aaron certainly believe so. His family, in a statement, decried the “intimidation and prosecutorial overreach” of the US Attorney’s Office. At the funeral, Aaron’s father remarkedthat his son had been “killed by the government.” On the other hand, it has been widely documented — perhaps no more poignantly than by Aaron, himself — that the young programmer had long suffered from depression.

Regardless, we need not ascribe blame for Aaron’s suicide to realize that the stiff penalties and heavy-handed prosecution Aaron faced are both dangerous and asinine. Regrettably, they are also not outliers. Instead, they are the product of decades of vague and uninformed technology legislation and enforcement.

Law and Technology

In 2006, the late Senator Ted Stevens (R-AK) famously described the Internet as a “series of tubes,” providing fodder for late-night comics and activists who argued that an aging Congress was woefully out of touch with the realities of technology. Despite lawmakers’ limited understanding, though, the impact the law has on technological change can be profound.

To prove that aphorism, one need look no further than the historical development of peer-to-peer (P2P) file sharing. Since Napster broke onto the scene in 1999, lawmakers, courts, and P2P providers have been engaged in a game of legal cat-and-mouse. When Napster’s liability was predicated on its use of centralized servers to list and index available files, a new generation of P2P providers created decentralized networks. When decentralized Grokster was found liable for copyright infringement under a new theory of inducement liability, BitTorrent (an innovative and relatively unlitigated protocol) gained prominence.

The growth of P2P file-sharing highlights two truths about technology and law — first, that law has the ability to affect the trajectory of technological advancement, and second, that technologists may ultimately be able to find and exploit the gray areas in the law. In many ways, innovative technology is much like a young sapling in a dense forest — angling and contouring to reach to the limited sunlight available.

Vague and Overbroad Laws

One method lawmakers have used to ensure that laws continue to work in the face of new and unanticipated technology is to pass legislation with broad, encompassing language. While doing so might accomplish the intended task, such legislation can often end up being used in ways wholly unforeseen (and arguably unwanted) by legislators. An example of this can be found in Section 1201 of the 1998 Digital Millenium Copyright Act (DMCA). The provision criminalized circumvention of “technological protection measures” that protect access to or prevent copying of copyrightable works. The intended effect of the law was to help copyright owners curb piracy of digitally disseminated works by ensuring that any technological “locks” would not be quickly broken.

In reality, the law has been used to criminalize far broader activity than piracy. In 2010, the Ninth Circuit ruled on MDY Industries, LLC v. Blizzard Entertainment, Inc., a suit brought by the makers of the popular online game World of Warcraft. At issue was a program known as Glider, a bot automating the play of early levels of the game. Because Blizzard had sought to prevent bots through its own software (and because Glider had found a way around these ‘protection measures’), the court held that Glider’s creator had violated the DMCA.

While grounded in sound logic by the court, the outcome was irrational. In effect, a law intended to defend against piracy had made it a criminal act to cheat in a video game.

Aaron’s Charges

Aaron wasn’t indicted for a violation of §1201. The law he allegedly violated, though — the Computer Fraud and Abuse Act (CFAA) — is plagued with similar vagueness and absurdity,cataloged expertly by Marcia Hofmann of the Electronic Frontier Foundation (EFF). In her piece, she highlights the law’s reliance on the undefined phrase “exceeds authorized access.” As she notes, the broad language has often been used to criminalize activity that exceeds the law’s intent of preventing hacking.

Aaron’s indictment was much of the same — the government’s allegations seem to have relied heavily on the idea that Aaron had “exceeded his authority” by violating JSTOR and MIT’s terms of service and by bypassing restrictions JSTOR had put into place. But, as Aaron’s would-have-been expert witness detailed, this was far from a “criminal hack.” While the indictment breathlessly mines for salacious bits (like Aaron breaking into a wiring closet and seeking to avoid capture with a bicycle helmet mask), the reality of what Aaron did is far more benign — he broke the rules of a website and service provider. Yet, because of the overbroad and undefined language of the CFAA, prosecutors were able to treat the violation of JSTOR’s terms of service as a violation of federal law.

Where to Go From Here

Aaron’s death need not be in vain. In the past week, Representative Zoe Lofgren (D-CA) announced a bill known as Aaron’s Law, which would amend the CFAA to ensure that breaches of terms of service agreements would not independently constitute “exceeding authorized access.” This is a great first step, and something that should be passed by Congress immediately.

The legislative patch, though, does not solve all of our problems. Congress is still woefully under-informed about technology and still subject to powerful lobbying efforts that lead to the passage of vague and overbroad laws. The cruel irony of Aaron’s suicide is that he was among the best situated to create an effective change agent for Congress; his organization, Demand Progress, was instrumental in preventing the passage of the controversial Stop Online Piracy Act. Today, Aaron’s death serves as a tragic reminder of the potential impact of the law on technology and technologists. Tomorrow, we must hope it inspires the technological community to take a more active role in legislation, education, and congressional outreach.